Slide 2

Some Industry-Specific Standards
- CJIS: Criminal Justice Information Services
- CSA: Cloud Security Alliance
- FERPA: Family Educational Rights and Privacy Act
- HIPAA: Health Insurance Portability and Accountability Act
- MPAA: Motion Picture Association of America

AWS Global Infrastructure

Physical and Environmental Security
The data centers that Amazon houses are state of the art, built using architectural and engineering approaches. Amazon has years of experience operating large-scale data centers. Physical access to facilities is strictly controlled by security staff. Amazon only provides data center access and information to employees and contractors who have a legitimate business need for such privileges.

Fire Detection and Suppression
AWS data centers have automatic fire detection and suppression to reduce risk. The fire detection system covers mechanical and electrical infrastructure spaces, chiller rooms and generator rooms. These areas are also protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

AWS Global Infrastructure (continued)

Power
AWS data center power systems are designed to be redundant and maintainable without impact to operations, 24/7. Uninterruptible power supply (UPS) units provide backup power for essential loads in the facility in the event of an electrical failure.

Climate and Temperature
Climate control is required to prevent the overheating of servers and other hardware, which reduces the risk of outages. AWS facilities have personnel and system monitors that maintain temperature and humidity at appropriate levels.

Management
AWS monitors electrical, mechanical, and life-support systems and other equipment so that any issues are identified immediately. AWS staff perform preventive maintenance to maintain the operability of equipment.

Storage Device Decommissioning
When a storage device reaches the end of its useful life, AWS procedure includes a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals.

Slide 3

Business Continuity Management
Amazon's infrastructure has a high level of availability and provides customers with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal impact to the customer.

Availability
Data centers are built in clusters in various global regions. All Amazon data centers are online and serving customers. In case of any failure, traffic is directed away from the affected area. Core applications are deployed in an N+1 configuration so that in the event of a failure there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. AWS provides customers with the flexibility to place instances and store data in different geographic regions and across different Availability Zones within each region. Each AZ is designed as an independent failure zone.

Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution of business-impacting events. Staff operate 24/7/365 to detect incidents.

Slide 4

Communication
AWS has implemented an internal communication method at a global level to help employees understand their respective roles and to communicate significant events in a timely manner. Such methods include orientations, job training, and video conferences via the Amazon intranet. AWS has also implemented a strong external communication method to support its customer base and community. A Service Health Dashboard is available and maintained to alert customers to issues that may have broad impact.

Network Security
The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.

Secure Network Architecture
Network devices, including firewalls and other boundary devices, are in place to monitor and control communications. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface to manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed to ensure the managed interfaces have the most up-to-date ACLs.

Slide 5

Secure Access Points
AWS has strategically placed a limited number of access points to the cloud. Customers reach these access points, called API endpoints, over secure HTTP, which allows you to establish a secure communication session with AWS. To support customers with Federal Information Processing Standard (FIPS) cryptographic requirements, the Secure Sockets Layer (SSL)-terminating load balancers in AWS GovCloud (US) are FIPS compliant. AWS has implemented network devices that are dedicated to managing interface communications with internet service providers.

Transmission Protection
You can connect to an AWS access point via HTTP or HTTPS using SSL, a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. For those who need extra layers of network security, AWS offers Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel.

Network Monitoring and Protection

Distributed Denial of Service (DDoS) Attacks
AWS API endpoints are hosted on large, internet-scale infrastructure, the same infrastructure that Amazon itself was built on. Proprietary DDoS mitigation techniques are used.

Man-in-the-Middle (MITM) Attacks
All AWS APIs are available via SSL-protected endpoints that provide server authentication. Amazon EC2 AMIs automatically generate new Secure Shell (SSH) host certificates on first boot and log them to the instance's console.

IP Spoofing
Amazon EC2 instances cannot send spoofed network traffic. The AWS firewall will not permit an instance to send traffic with a source IP or MAC address other than its own.
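The MITM defence on this slide only works if the first SSH connection actually compares the host key the server presents with the fingerprints the instance logged to its console at first boot. The following Python is an added example of that comparison; it is not code from the slides or from AWS. It assumes the console text uses the cloud-init fingerprint block layout shown in the constructed sample (the fingerprints themselves are made up), and that the fingerprint of the presented key is supplied as an `ssh-keygen -l` style line, for instance the output of `ssh-keygen -lf` run on the key returned by `ssh-keyscan`.

```python
"""Added example (not from the slides or from AWS): verify an EC2 instance's
SSH host key against the fingerprints it logged to its console on first boot.
The console sample is constructed in the cloud-init fingerprint block layout
(an assumption about the format); the fingerprint values are invented."""
import re

# Constructed sample of console output (as returned by `aws ec2 get-console-output`).
CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:EXAMPLEecdsaFingerprint000000000000000000000 root@ip-10-0-1-5 (ECDSA)
ec2: 256 SHA256:EXAMPLEed25519Fingerprint0000000000000000000 root@ip-10-0-1-5 (ED25519)
ec2: 2048 SHA256:EXAMPLErsaFingerprint00000000000000000000000 root@ip-10-0-1-5 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

# One `ssh-keygen -l` style line: "<bits> <hash>:<fingerprint> <comment> (<TYPE>)",
# optionally prefixed with "ec2: " as in the console output.
FINGERPRINT_LINE = re.compile(
    r"^(?:ec2:\s+)?(\d+)\s+((?:SHA256|MD5):\S+)\s+.*\((\w+)\)\s*$"
)


def parse_fingerprint_line(line):
    """Return (KEY_TYPE, fingerprint) for one fingerprint line, or None."""
    m = FINGERPRINT_LINE.match(line)
    return (m.group(3).upper(), m.group(2)) if m else None


def parse_console_fingerprints(console_text):
    """Collect {KEY_TYPE: fingerprint} from the BEGIN/END fingerprint block only,
    ignoring anything else the instance printed to its console."""
    fingerprints = {}
    inside = False
    for line in console_text.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            break
        elif inside:
            parsed = parse_fingerprint_line(line)
            if parsed:
                fingerprints[parsed[0]] = parsed[1]
    return fingerprints


def host_key_matches(console_text, keygen_line):
    """True only when the presented key's fingerprint equals the one the
    instance logged for that key type. Unparseable input or a key type that
    was never logged fails closed (returns False)."""
    parsed = parse_fingerprint_line(keygen_line)
    if parsed is None:
        return False
    key_type, presented = parsed
    return parse_console_fingerprints(console_text).get(key_type) == presented


if __name__ == "__main__":
    # Constructed line, as `ssh-keygen -lf` would print for the scanned host key.
    presented = ("256 SHA256:EXAMPLEed25519Fingerprint0000000000000000000 "
                 "ec2-203-0-113-10.compute-1.amazonaws.com (ED25519)")
    print("host key verified:", host_key_matches(CONSOLE_OUTPUT, presented))
```

Because the console output is fetched over the authenticated AWS API rather than over the network path being verified, a mismatch here means the SSH connection reached a different host key than the one the instance generated, and the connection should not be trusted.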

Slide 6 (8/3/17)

Network Monitoring and Protection (continued)

Port Scanning
Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy (AUP). Violations of the AWS AUP are taken seriously, and every reported violation is investigated. When unauthorized scanning is detected, it is stopped and the port is closed. You can request permission to conduct vulnerability scans as required to meet your compliance requirements. These scans are limited to your own instances and must not violate the Amazon AUP.

Packet Sniffing by Other Tenants
While Amazon does provide ample protection against one customer inadvertently or maliciously attempting to view another customer's data, as a standard practice you should encrypt sensitive traffic.

AWS Account Security Features
Amazon provides many tools and features that you can use to keep your AWS account and resources safe from unauthorized use.

Credentials
AWS uses several credentials for authentication.

Slide 7

AWS Cloud Service-Specific Security

Compute Services
AWS provides a variety of cloud-based computing services, including a wide selection of compute instances that can scale up or down automatically. EC2 security consists of multiple levels of security:
- The hypervisor
- Instance isolation
- Host operating system and guest operating system
- API access
- Amazon EBS security

Networking
AWS provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS cloud, use a highly available and scalable DNS service, and deliver content to your end users with low latency at high data transfer speeds.

Elastic Load Balancing Security
- Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
- Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.
- When used in an Amazon VPC, supports creation and management of security groups associated with your ELB to provide additional networking and security options.
- Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections.

Slide 8

Amazon VPC Security
We have already seen in earlier chapters how we can make our Amazon Virtual Private Cloud more secure by using the following security options: API access, subnets and route tables, and security groups (firewall).
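The boundary-device ACLs of slide 4 and the security groups named here enforce traffic flow with two different rule semantics, and misreading either is a common source of unintended exposure. The following Python is an added example, not code from the slides or from AWS, that models both: a network ACL as an ordered, stateless list of numbered allow/deny rules where the lowest-numbered match wins and anything unmatched hits the implicit `*` deny, and a security group as an unordered set of allow-only rules with an implicit deny. It also includes a small defender-side lint that flags allow rules exposing an administrative port to the whole Internet, and shows a weak security group beside its corrected form. All rules, addresses and the `ADMIN_PORTS` list are constructed for the example.

```python
"""Added example (not from the slides or from AWS): how network ACL and
security group rule sets decide an inbound flow, plus a lint for rules that
open admin ports to all of IPv4. Every rule and address here is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound packet, reduced to the fields the rules look at."""
    src: str      # remote source IPv4 address
    proto: str    # "tcp", "udp" or "icmp"
    port: int     # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    number: int   # evaluation order for network ACLs; ignored for security groups
    action: str   # "allow" or "deny" (security groups only ever carry "allow")
    proto: str    # "tcp", "udp", "icmp" or "all"
    cidr: str     # remote CIDR the rule matches
    port_from: int
    port_to: int


def rule_matches(rule, flow):
    """Protocol, remote address and destination port must all match."""
    if rule.proto != "all" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= flow.port <= rule.port_to


def evaluate_nacl(rules, flow):
    """Network ACL semantics: the lowest-numbered matching rule decides;
    no match falls through to the implicit '*' deny rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def evaluate_security_group(rules, flow):
    """Security group semantics: any allow rule permits, otherwise deny."""
    return "allow" if any(rule_matches(r, flow) for r in rules) else "deny"


ADMIN_PORTS = (22, 3389)  # constructed list: SSH and RDP


def overly_permissive(rules):
    """Lint: allow rules that expose an admin port to all of IPv4 (a /0 CIDR).
    Returns [(rule number, [exposed ports]), ...]."""
    findings = []
    for r in rules:
        if r.action != "allow" or ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue
        exposed = [p for p in ADMIN_PORTS if r.port_from <= p <= r.port_to]
        if exposed:
            findings.append((r.number, exposed))
    return findings


# Constructed inbound network ACL for a public subnet. The last rule exists
# because network ACLs are stateless: replies to outbound connections arrive
# on ephemeral ports and must be allowed explicitly.
PUBLIC_SUBNET_NACL = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),       # HTTPS from anywhere
    Rule(110, "allow", "tcp", "203.0.113.0/24", 22, 22),    # SSH from the admin range
    Rule(120, "deny",  "tcp", "0.0.0.0/0", 22, 22),         # SSH from everywhere else
    Rule(130, "allow", "tcp", "0.0.0.0/0", 32768, 65535),   # ephemeral return ports
]

# Weak security group: SSH open to the whole Internet.
SG_WEAK = [Rule(0, "allow", "tcp", "0.0.0.0/0", 22, 22)]

# Corrected security group: SSH only from the admin range, HTTPS public.
SG_FIXED = [
    Rule(0, "allow", "tcp", "203.0.113.0/24", 22, 22),
    Rule(0, "allow", "tcp", "0.0.0.0/0", 443, 443),
]

if __name__ == "__main__":
    ssh_from_internet = Flow("198.51.100.7", "tcp", 22)
    print("NACL:", evaluate_nacl(PUBLIC_SUBNET_NACL, ssh_from_internet))
    print("weak SG:", evaluate_security_group(SG_WEAK, ssh_from_internet),
          overly_permissive(SG_WEAK))
    print("fixed SG:", evaluate_security_group(SG_FIXED, ssh_from_internet),
          overly_permissive(SG_FIXED))
```

Two points the model makes visible: rule numbering matters for network ACLs (swapping rules 110 and 120 would lock the admin range out), and because security groups are stateful they need no ephemeral-port allow rule, so a `0.0.0.0/0` range on a security group is almost always a mistake rather than a return-traffic accommodation.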
